A new backdoor dubbed Serpent has been discovered infecting French entities in the construction and government sectors. The backdoor is installed using new methods, which include steganography, Tor proxy and legitimate package installer software.
The attack starts with an email that contains a weaponized infecting Microsoft Word document, written in French. The document lures the user into enabling macros to be able to read the document, which is a very common tactic for attackers to start an infection on a targeted computer.
The email’s subject, “Candidature” followed by a first and last name, is the usual French word used for “job application” and is another common lure used by attackers to entice a user to open a malicious document.
Once the macro is enabled, it downloads an image located on a compromised website. That image contains an encoded PowerShell script, hidden using steganography.
That PowerShell script downloads, installs and updates an installer package known as Chocolatey. It is a software management automation tool for Windows systems. It wraps installers, exe files, archives and scripts, all into a compiled package. In turn the Chocolatey installs the Python programming language, including pip, the Python package installer.
The next step consists of installing various dependencies including PySocks, a Python tool that enables users to send traffic through Socks and HTTP proxy servers.
The infection chain stops with a command to a URL shortener link which redirects the user to the legitimate Microsoft Office help website.
The installation of Chocolatey and Python tools is something that can greatly help the attack to stay under the radar, as the tools are legitimate and likely not to trigger any alert.
Researchers rarely observes steganography in campaigns. The last found tool using schtasks.exe is also unique and previously unobserved and the way the Tor network is used is uncommon and makes it harder to stop the threat, since the final server’s location is unknown and cannot be simply shut down.